We all know GDPR is supposed to come into effect on 25 May 2018, and that there are a number of scare stories out there, but things are now beginning to settle down. What follows is our take on what you need to do. However, the legislation has not yet been passed into UK law, and we, along with everyone else, are feeling our way a bit on this.
- Have a plan
This is the only thing you really must have in place by 25 May – a plan, in writing, to deal with the challenges of GDPR. The following steps and the attached checklist are designed to help you draft that plan. If you think there are things we haven’t thought of – we would love to hear from you. We have tried to write this in plain English, but again, if anything is unclear, we would love to hear from you.
- Appoint a data controller
If you’re a sole practitioner it would be you – if you’re in partnership, best not to leave the office, go on holiday or maternity leave, or your partner(s) will decide it’s you. Under the current rules, on the assumption that you are already registered with the ICO, this will represent no change.
- Establish whether you hold personal data
If you have employees, if you have personal clients – you do. NB GDPR applies to personal data only, not data on businesses or other entities.
- Establish how you will gain the necessary permissions
If you have personal data to enable you to provide your services to your clients or to pay salaries to your employees, it is lawful for you to hold and process that data. For any other reasons – marketing, PR etc. you need to obtain permission from the person concerned and they have to “opt in” – you can’t just have a default assumption that they agree. So no pre-ticked boxes on forms or web pages. Also, be aware that when an employee or client becomes an ex-employee or ex-client the relationship with them changes. It may well be that holding their data remains lawful because there may be statutory reasons for you to hold it, but there may not.
- Access and Transparency
Although it may well be lawful for you to hold personal data, the people concerned – “data subjects” – have rights of access to that data to ensure that it is correct, that it is all necessary for the intended purpose and that it is not being held for an unnecessarily long period. So you have to enable them to have access if they request it, and you have to inform them of their rights of access. The key to this is informing them of their rights in engagement letters or letters of employment. We think it would also be sensible to consider the issuing of disengagement letters when clients move on and equivalent letters when staff move on. You also need to make sure they know who the data controller is, why you need their data, where it will be dealt with and who will have access to it. If you intend to transfer their data to another country, you need to provide details of this and how and why the data will be protected.
- Establish where your data is held and think about security
GDPR applies to all data, not just the electronically stored kind covered by the current rules. The rules are risk based, so you have to consider the risk of personal data being accessed by unauthorised people Data held on paper, should not present much of a problem – filing cabinets with locks as appropriate and suitable archive facilities ought, in the majority of cases, deal with the security issue, but you will have to make sure your systems are appropriate, depending on the sensitivity of the information stored. Data stored, processed and transmitted electronically may present additional problems. You need to know where the data is and what the security risks are, and you need to take steps to mitigate those risks.
- If it’s held on site – can your systems be hacked?
- Does data leave the office on laptops, memory sticks or other devices?
- Where do you keep your backups?
- Is data transmitted by email or other electronic means?
- If you use the cloud, where are the servers? and do you need further permissions?
All of this should form the basis of your plan and, as we said at the beginning you need to have something in writing to show how you intend to proceed before 25 May. Other sources of information This article on AccountingWeb provides excellent sources of additional reading Go Here The guidance on ICAEW’s website is also now not at all bad: Go Here